Region Maps Custom Boundary CORS Error

Following the directions here Custom Region Maps in Kibana 6.0 I'm trying to connect a static http server for a custom region boundary geojson file to connect with Kibana.

Using npm http-server at Ubuntu command line in the appropriate sub-directory I am unable to connect from Kibana due to the following CORS error

Cannot download http://localhost:8000/custom_bdys.geojson file. Please ensure the CORS configuration of the server permits requests from the Kibana application on this host.

I have tried running http-server using several different options at the command line without success. Some of the options I've tried include:

http-server --cors='*' -p 8000
http-server --cors=* -p 8000
http-server --cors=Authorization -p 8000

Any suggestions on how to resolve this issue? Someone suggested Chrome browser might be an issue but I haven't tried to test this yet....

Thanks!

A brief update is that I have tested CORS from Kibana to my static http server and that appears to be working, but I still get the CORS error in the region maps
image

curl -H "Origin: https://22.22.22.93:5601" -H "Access-Control-Request-Method: POST" -H "Access-Control-Request-Headers: X-Requested-With" -X OPTIONS --verbose http://22.22.22.93:8000

* Rebuilt URL to: http://22.22.22.93:8000/
* Trying 22.22.22.93...
* TCP_NODELAY set
* Connected to 22.22.22.93 (22.22.22.93) port 8000 (#0)
OPTIONS / HTTP/1.1
> Host: 22.22.22.93:8000
> User-Agent: curl/7.55.1
> Accept: /
> Origin: https://22.22.22.93:5601
> Access-Control-Request-Method: POST
> Access-Control-Request-Headers: X-Requested-With
>
< HTTP/1.1 204 No Content
< Access-Control-Allow-Origin: *
< Access-Control-Allow-Headers: origin,x-requested-with,content-type,accept,range,*
< Access-Control-Allow-Methods: GET,HEAD,POST
< Date: Thu, 03 Jan 2019 17:44:42 GMT
< Connection: keep-alive
<
* Connection #0 to host 22.22.22.93 left intact

The issue was caused due to security mismatch between using SSL on Kibana host and and serving the custom layer *geojson from a non-encrypted http server. In Chrome there is a tiny little red icon in the top right hand of the url bar
image
Click this to ignore the security exception

Then if you explore the DevTools Console you can get the root cause of the error

Mixed Content: The page at 'https://22.22.22.93:5601/ [....omitted...] was loaded over HTTPS, but requested an insecure XMLHttpRequest endpoint 'http://22.22.22.93:8000/aus_state.geojson'. This content should also be served over HTTPS.

Note that you will also get a similar error in Chrome if you serve up the *geojson from HTTPS with an unverified or self-signed certificate.

1 Like

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.